On Thu, Nov 02, 2023 at 07:49:09PM +0100, Philipp Stanner wrote: > dfl.c utilizes memdup_user() and array_size() to copy a userspace array. > Currently, this does not check for an overflow. array_size() actually checks for overflow, so please re-write the changelog. Thanks, Yilun > > Use the new wrapper memdup_array_user() to copy the array more safely. > > Suggested-by: Dave Airlie <airlied@xxxxxxxxxx> > Signed-off-by: Philipp Stanner <pstanner@xxxxxxxxxx> > --- > Linus recently merged this new wrapper for Kernel v6.7 > --- > drivers/fpga/dfl.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c > index dd7a783d53b5..e69b9f1f2a50 100644 > --- a/drivers/fpga/dfl.c > +++ b/drivers/fpga/dfl.c > @@ -2008,8 +2008,8 @@ long dfl_feature_ioctl_set_irq(struct platform_device *pdev, > (hdr.start + hdr.count < hdr.start)) > return -EINVAL; > > - fds = memdup_user((void __user *)(arg + sizeof(hdr)), > - array_size(hdr.count, sizeof(s32))); > + fds = memdup_array_user((void __user *)(arg + sizeof(hdr)), > + hdr.count, sizeof(s32)); > if (IS_ERR(fds)) > return PTR_ERR(fds); > > -- > 2.41.0 >
